What Information Do You Have To Protect To Meet PIPEDA Compliance?

PIPEDA doesn’t have to be scary, painful or expensive if you have the right strategy. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private companies in Canada, so if you do business in Canada or have Canadian customers, this law matters. Before you acquire software or adjust your processes, you need to start with the basics.

The Key PIPEDA Question: What Information Do You Have To Protect?

PIPEDA compliance requires careful thought because there is no definitive list of all types of protected information. On the other hand, you don’t have to start from a blank slate either. According to the Office of the Privacy Commissioner of Canada, personal information is “any factual or subjective information, recorded or not, about an identifiable individual.” Specific examples of PIPEDA protected information include:

  • An individual’s name, income, blood type, ID numbers (this could consist of account numbers with your company), home address, personal phone number or personal email address.
  • Employee files, credit reports, loan information, and medical information.
  • Comments, disciplinary actions regarding a person (e.g., employee performance reviews).

These examples tell us a few crucial points. First, you might assume that PIPEDA only applies to customers and prospects. That is incorrect. The reference to “employee files” and “disciplinary actions” means it is wise to protect personal information relating to Canadian employees and contractors. As a rule of thumb, if you could use a specific piece of information to identify a particular person, such information should be regarded as in scope for PIPEDA.

PIPEDA Exceptions: It Doesn’t Always Apply…

According to the Office of the Privacy Commissioner of Canada, there are situations where PIPEDA does not apply. For example, business contact information (e.g. a person’s business title, business address and business phone number) is not covered by PIPEDA. Note that some Canadian organizations (e.g. schools, universities and hospitals) are not generally covered by PIPEDA because provincial privacy laws apply to them.

If you cannot confidently identify all information in scope for PIPEDA compliance on your own, seek expert guidance. Some companies have in-house lawyers dedicated to PIPEDA, while others seek out advice when needed.

Using Process and Software To Enhance Your PIPEDA Compliance Program

Now that you have identified personal information requiring PIPEDA protection, let’s turn to protection. Merely identifying the information is not enough. You also need to take steps to protect that data from disclosure, abuse and misuse. Specifically, a critical factor for PIPEDA compliance lies in establishing safeguards. To simplify this process, let’s look at processes and software you can use to protect personal information.

PIPEDA Compliance Processes: 4 Essentials You Need To Have

There are a few essential processes we suggest implementing to avoid PIPEDA compliance failures. The frequency and intensity of the processes will need to be scaled to your organization’s size and complexity.

1) Security Policy Coverage

Your organization’s security policy ought to formally acknowledge the importance of protecting personal information. To help employees understand the policy, include a few examples of personal data that come up most often in your organization. For example, you might mention the date of birth, home address and account numbers.

2) Employee Awareness and Training

You can have the best policies and software tools in the world but still suffer a PIPEDA failure. Such a failure is likely to happen if you neglect employee training and awareness processes. We recommend working with the human resources department to develop training modules to explain PIPEDA and ways your organization protects such data.

Tip: Consider offering in-depth privacy protection training to employees who handle highly sensitive data regularly. For example, sales and customer service staff periodically handle personal information, so they may need extra guidance and support to stay in line with PIPEDA expectations.

3) Security Safeguard Testing and Audits

In IT security and privacy, there is no such thing as done. Threats in the environment are always changing. There are new technologies that make security more difficult to implement. For example, your organization’s security processes may not be designed to monitor cloud services or SaaS software. That’s one reason it is important to periodically test and audit your security systems. If your organization has an internal audit department, ask them to carry out these tests. Otherwise, you may need to outsource this work to a consultant.

4) Limit Employee Access To Personal Information

The more people who have access to PIPEDA protected personal information, the higher the risk you face. Therefore, we suggest limiting access as much as possible. For example, the accounting department probably does not need access to the customer relationship management (CRM) database.

PIPEDA Compliance Software: Systematic Safeguards Start Here

PIPEDA expects companies to implement safeguards to protect information. That includes physical protections such as locked doors and locked cabinets. More importantly, given the volume of digital data, you also need to apply digital safeguards. Here are a few ways to leverage identity and access management software.

Optimize User Accounts

Instead of manually setting up user accounts, use software automation to make the process easier. With Group Enforcer, it is easy to set up user accounts based on job role. That means people doing similar jobs will automatically have the same system access. For managers, this group approach means less time spent on tinkering with user access. Less time spent on the details means you can focus more on big-picture security threats and strategy.

Enable Security Testing and Audits

No security solution stays perfect without testing. For example, you may start expanding your customer service and sales in Canada. To provide that level of service, you begin collecting more personal information about your customers. As a result, your old approach to PIPEDA compliance no longer works. Fortunately, you can mitigate this problem by using Compliance Auditor, security software that automates access governance compliance. It automatically tracks all access requests so you can easily monitor and audit changes, even on the cloud.
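To make the role-based provisioning, least-privilege and access-audit ideas in this section concrete, here is an added Python illustration; it is not Group Enforcer or Compliance Auditor code, and the roles, entitlements and the list of systems holding personal data are constructed. Accounts receive access from their job role, every access decision is recorded in an audit trail, and an audit check flags access to personal-data systems beyond the role’s baseline, such as an accounting user who has acquired CRM access.

```python
"""Role-based provisioning with an access audit trail.
Constructed example, added for illustration: roles, entitlements and
system names are made up and do not represent any vendor product."""
from dataclasses import dataclass, field

# Hypothetical role -> entitlement map: access follows the job role, not the person.
ROLE_ENTITLEMENTS = {
    "sales": {"crm:read", "crm:write", "email"},
    "customer_service": {"crm:read", "ticketing", "email"},
    "accounting": {"ledger", "payroll", "email"},
}
# Constructed list of systems that hold PIPEDA-scope personal information.
PERSONAL_DATA_SYSTEMS = {"crm:read", "crm:write", "payroll", "ticketing"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set = field(default_factory=set)


def provision(user, role, audit_log):
    """Create an account whose access is derived entirely from its role group."""
    acct = Account(user, role, set(ROLE_ENTITLEMENTS[role]))
    audit_log.append(("provision", user, role, sorted(acct.entitlements)))
    return acct


def request_access(acct, entitlement, approver, audit_log):
    """Grant only what the role permits; log every decision, granted or denied."""
    allowed = entitlement in ROLE_ENTITLEMENTS[acct.role]
    if allowed:
        acct.entitlements.add(entitlement)
    audit_log.append(("request", acct.user, entitlement, approver,
                      "granted" if allowed else "denied"))
    return allowed


def find_excess_access(accounts):
    """Periodic audit: flag personal-data access that exceeds the role baseline."""
    findings = []
    for a in accounts:
        excess = (a.entitlements - ROLE_ENTITLEMENTS[a.role]) & PERSONAL_DATA_SYSTEMS
        findings.extend((a.user, a.role, e) for e in sorted(excess))
    return findings


if __name__ == "__main__":
    log = []
    pat = provision("pat", "accounting", log)
    request_access(pat, "crm:read", "manager", log)   # denied: not in role
    pat.entitlements.add("crm:read")                  # simulate out-of-band drift
    print(find_excess_access([pat]), log, sep="\n")
```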

PIPEDA Compliance Is Easy When You Do This…

PIPEDA compliance doesn’t have to break the bank. Use the tips in this guide to implement safeguards and guide your employees to success.

Written by Nelson Cicchitto